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INTRODUCTION 


Cloud security concerns remain high as the adoption of public cloud computing continues 
to surge, especially in the wake of the 2020 COVID crisis and the resulting accelerated shift 
to remote work environments. 


The 2021 Cloud Security Report has been produced by Cybersecurity Insiders to explore 
how organizations are responding to the evolving security threats in the cloud and the 
continued shortfall of qualified security staff. 


Key survey findings include: 


e Despite rapid adoption of cloud computing, security remains a primary issue for cloud 
customers. Virtually all surveyed cybersecurity professionals (96%) confirm they are at 
least moderately concerned about public cloud security, a small increase from last 
year’s survey. 


e We asked survey participants about the biggest barriers holding back faster cloud 
adoption. Among the key barriers to cloud adoption, organizations mention lack of 
qualified staff (39%) as the biggest impediment to faster adoption, followed by data 
security issues (34%) and legal & regulatory compliance (32%). 


e A majority of organizations (57%) expect their cloud security budget to increase over 
the next 12 months. On average, organizations allocate 28% of their security budget to 
cloud security. 


e We asked organizations how they would rate their overall security readiness. A majority of 
73% rate their security readiness average or below average. Only half as many say they 
are above average (27%). 


e As in previous years, the continuing shortage of not only qualified cybersecurity staff 
but also the lack of security awareness and skills among all employees remains the 
number one security challenge for organizations. To alleviate this shortage, cybersecurity 
professionals agree that 6 out of 10 employees would benefit from security training 
and/or certification for their jobs. 


Many thanks to (ISC} for supporting this important research project. We hope you find 
this report informative and helpful as you continue your efforts in securing your cloud 
environments. 


Thank you, 
Holger Schulze 


Holger Sthulze CEO and Founder 
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SECURITY IN PUBLIC CLOUDS 


Despite rapid adoption of cloud computing, security remains a key issue for cloud customers. Virtually 
all surveyed cybersecurity professionals (96%) confirm they are at least moderately concerned about 
public cloud security, a small increase from last year’s survey. 


Cloud users are particularly concerned with risks arising from misconfiguration of the cloud platform, 
exfiltration of sensitive data, and unauthorized access (see page 8). 


> How concerned are you about the security of public clouds? 


O Of organizations are moderately 
x” A to extremely concerned 
O about cloud security. 


1% 3% 


23% 41% 


Not at all concerned Extremely concerned 


E Not at all concerned W Slightly concerned E Moderately concerned {Mf Very concerned W Extremely concerned 
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CLOUD SECURITY CONFIDENCE 


The heightened concerns about cloud security have a negative impact on organizations’ confidence 
in their own cloud security posture. A majority of organizations are at best only moderately confident 
in their cloud security posture (72% - up from 66% in last year’s survey). While confidence has been 
declining over time, we still see an alarming degree of overconfidence not supported by the backdrop 
of security incidents and challenges presented in this report. 


The biggest challenges causing loss of confidence in cloud security include concerns around data loss/ 
leakage, data privacy/confidentiality, and accidental exposure of credentials (see page 5). 


> How confident are you in your organization’s cloud security posture? 


O Of organizations are not at all 
confident to moderately confident 
O in their cloud security posture. 


8% 12% 22% 6% 


Not at all confident Extremely confident 


E Not at all confident E Slightly confident §§§ Moderately confident E Very confident E Extremely confident 
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CLOUD SECURITY CONCERNS 


While cloud providers offer increasingly robust security measures as part of their cloud services, it is the 
customer who is ultimately responsible for securing their workloads in the cloud. The most significant 
cloud security challenges highlighted in our survey are unchanged from last year: data loss/leakage (64% 
- down five percentage points since last year), data privacy/confidentiality (62% - down four percentage 
points), and accidental exposure of credentials (46% - up two percentage points). 


> What are your biggest cloud security concerns? 


Om ( = 
4% 62% 46% 


Data loss/leakage Data privacy/ Accidental exposure 
confidentiality of credentials 


44% 40% 38% 36% 


Legal and Visibility & Incident Data sovereignty/ 
regulatory transparency response residency/control 
compliance 


Lack of forensic data 24% | Business continuity 24% | Liability 23% | Availability of services, systems, and data 23% | Disaster 
recovery 22% | Having to adopt new security tools 18% | Performance 16% | Fraud (e.g., theft of SSN records) 15% | 
Not sure/other 5% 
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OPERATIONAL SECURITY HEADACHES 


Cybersecurity professionals are faced with numerous complications around protecting cloud 
workloads. Lack of qualified security staff (49%) remains number one on the list of day-to-day 
headaches (up from 47% in last year’s survey), followed by compliance (40%) and visibility into 
infrastructure security (36% - up from 33% in 2020). 


> What are your biggest operational, day-to-day headaches trying to protect cloud 
workloads? 


9% 40% 36% 


Lack of Compliance Visibility into 
qualified staff infrastructure security 


34% 29% 28% 28% 28% 


Can't identify Setting Implementing Automatically Justifying 
misconfigurations consistent continuous and enforcing security more security 
quickly security policies automated security across multiple expenditure 
controls in clouds 
the cloud 


Setting the correct user access privileges 28% | Security can’t keep up with the pace of changes to new/existing applications 27% | 
Securing access from personal and mobile devices 26% | Lack of integration with on-prem security technologies 25% | 

Complex cloud to cloud/cloud to on-prem security rule matching 25% | No automatic discovery/visibility/control to infrastructure 
security 22% | Understanding network traffic patterns 21% | Securing traffic flows 20% | Reporting security threats 20% | 
Remediating threats 20% | Lack of feature parity with on-prem security solution 13% | No flexibility 3% | Not sure/other 11% 
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BARRIERS TO CLOUD ADOPTION 


We asked survey participants about the biggest barriers holding back faster cloud adoption. Among 
the barriers to cloud adoption, organizations mention lack of qualified staff (39% - up from 37%) as the 


biggest impediment to faster adoption, followed by data security issues (34%) and legal & regulatory 
compliance (32%). 


> What are the biggest barriers holding back cloud adoption in your organization? 


a 
9% 34% 32% 


Ww 


Lack of staff Data security, Legal & regulatory 
resources or loss & leakage compliance 
expertise risks 


~ 


22% 


29% fm ame, 


Integration with General Fear of vendor Loss of control 


existing IT security risks lock-in 
environment 


Internal resistance and inertia 21% | Complexity managing cloud deployment 21% | Lack of budget 20% | Cost/lack of ROI 19% 
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BIGGEST CLOUD SECURITY THREATS 


We asked what security threats cybersecurity professionals see facing public clouds. The biggest 
threat remains misconfiguration of the cloud platform (67%), followed by exfiltration of sensitive 
data (59%) and tying at 49% are unauthorized access and insecure interfaces. 


> What do you see as the biggest security threats in public clouds? 


N p= 
1% 59% 49% 49% 


Misconfiguration Exfiltration of Unauthorized Insecure 
of the cloud sensitive data access interfaces/APIs 
platform/wrong 
setup 


40% 31% 36% 34% 


External Hijacking of Malicious Foreign 
sharing of data accounts, services, insiders state-sponsored 


or traffic cyber attacks 


Malware/ransomware 31% | Denial of service attacks 26% | Cloud cryptojacking 16% | Theft of service 13% | Lost mobile devices 8% 
Don’t know/other 7% 
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TRADITIONAL TOOLS IN THE CLOUD 


Organizations are faced with unique security challenges presented by cloud computing. 
Unfortunately, most legacy security tools are not designed for the dynamic, distributed, virtual 
environments of the cloud. Eighty-one percent of organizations say traditional security solutions 
either don’t work at all in cloud environments or have only limited functionality — a one percentage 
point improvement from last year’s survey (82%). 


> How well do your traditional network security tools/appliances work in cloud 
environments? 


19% 


All capabilities 
work in the cloud 


81% 


Claim traditional security 
solutions either don’t 
work at all or have 
limited functionality. 


11% 


Our traditional 
network security 
tools don’t work 

in the cloud 


64% 


Limited 
functionality 
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DRIVERS OF CLOUD-BASED 
SECURITY SOLUTIONS 


Organizations recognize several key drivers for the rapid adoption of cloud computing and the 
deployment of cloud-based security solutions. Better scalability (55%), faster time to deployment 
(48%), and cost savings (40%) are the top three drivers. This is followed by reduced efforts around 
patches and software updates (38%) and better performance (35%). 


> What are the main drivers for considering cloud-based security solutions? 


Ky aD 
J% 48% 40% 


Better Faster time Cost 
scalability to deployment savings 
(o) ce) (o) (e) 
38% D. u om | 
Reduced effort Better Better visibility into Need for secure 
around patches performance user activity and app access from 
and upgrades system behavior any location 


of software 


Our data/workloads reside in the cloud (or are moving to the cloud) 32% | Meet cloud compliance expectations 30% | 
Easier policy management 27% | Better uptime 26% | Reduction of appliance footprint in branch offices 23% | Other 1% 
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BARRIERS T0 CLOUD-BASED 
SECURITY ADOPTION 


Cloud-based security solutions offer significant advantages, yet barriers to cloud adoption still 
exist. The survey reveals that the biggest challenges organizations are facing are not about 
technology, but people and processes. Staff expertise and training (53%) continues to rank as the 
highest barrier, followed by lack of integration with on-premises security technologies (37%) and 
budget challenges (36%). 


> What are the main barriers to migrating to cloud-based security solutions? 


3% 37% 36% 
Staff expertise Lack of integration Budget 


training with on-premises 
security technologies 


34% 33% 31% 


Data Data Regulatory Solution 
privacy residency compliance maturity 
requirements 


Sunk cost into on-premises tools 20% | Limited control over encryption keys 18% | Integrity of cloud security platform (DDoS 
attack, breach) 13% | Scalability and performance 9% | Not sure/other 9% 
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CLOUD BENEFITS 


Cloud users confirm that the cloud is delivering on the promise of flexible capacity and scalability 


(57%), increased agility (47%), and improved availability and business continuity (46%). 


> What overall benefits have you already realized from your cloud deployment? 


> © È 
I% 4% 46% 


More flexible Increased Improved 
capacity/scalability agility availability and 
business continuity 


D. sn) =) 31% 


Moved expenses Accelerated Accelerated time Reduced 
from fixed deployment to market cost 
CAPEX (purchase) and provisioning 


to variable OPEX 
(rental/subscription) 


Improved performance 31% | Improved security 28% 
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PATHS TO STRONGER 
CLOUD SECURITY 


When asked about organizations’ responses to changing security needs, the use of native cloud 
provider security tools (62%) and training and certifying IT staff (61%) rank as the top tactics 
organizations deploy to assure their evolving security needs are met. This is followed by partnering 
with an MSSP (33%), hiring staff dedicated to cloud security (31%), and deploying security software 
from independent vendors (30%). 


> When moving to the cloud, how do you handle your changing security needs? 


& 


% 61% 


Use native cloud Train and/or certify 


provider security tools existing IT staff 
(e.g., Azure Security Center, 
AWS Security Hub, Google Cloud 
Command Center) 


33% 31% 30% 


Partner with a Hire staff dedicated Deploy security 
software from 


Managed Security to cloud security . 
Services Provider (MSSP) independent vendors 
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CLOUD SECURITY BUDGET 


A majority of organizations (57%) expect their cloud security budget to increase over the next 12 
months. On average, organizations allocate 28% of their security budget to cloud security. 


> How is your cloud security budget changing in the next 12 months? What percentage of 
your IT security budget is allocated to cloud security? 


O 
557% a 28% 


cloud security 


36% 


Budget 
will stay flat 


KE 


O 
I%E 
Budget 
will decline 
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SECURITY READINESS 


We asked organizations how they would rate their overall security readiness. A majority of 73% rate 
their security readiness average or below average. Only half as many say they are above average (27%). 


> How would you rate your team’s overall security readiness? 


Above average Average Below average 


Of those rating their overall security readiness average or below average, 78% believe their teams 
would benefit from cloud security training and/or certification. 


> Do you think you or your team need cloud security training and/or certification(s) to be 
better equipped to operate in cloud environments? 


13% 9% 


Yes No Not sure 
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SECURITY TRAINING 
AND CERTIFICATION 


As in previous years, the continuing shortage of not only qualified cybersecurity staff, but also the lack 
of security awareness and skills among all employees remains the number one security challenge for 
organizations. To alleviate this shortage, cybersecurity professionals agree that six out of 10 employees 
would benefit from security training and/or certification for their jobs. 


> What percentage of your employees would benefit from security training and/or 
certification for their job? 


J9% 


Of employees would 
benefit from 
security training. 


41% 


> Which of the following certifications does your employer require you or your team to have? 


cCiss? rr, 70% 
ccsP i 38% 

cism [25% 

cisa 23% 

Security + J 20% 

CEH MB 15% 

ccsk B 14% 
crisc Mi 11% 
ospc E 10% 
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TRAINING FOCUS 


We asked what security training topics organizations would find most valuable. The top priorities include 
cloud-enabled cybersecurity (68%), followed by incident response (45%), risk-based frameworks (39%), 
and application security (38%). 


> Which of the following topic areas would you find most valuable for ongoing training and 
education to be successful in your current role? 


BR S&S 
8% 45% 39% 38% 


Cloud-enabled Incident Risk-based Application 
cybersecurity response frameworks security 
33% 31% à 31% ù 28% 
Regulatory DevOps Soft skills Mobile 
compliance (e.g., leadership, security 


effective teamwork, 
communicating to 
persuade/educate) 


PIL 26% | Digital forensics 23% | Internet of Things (loT) 20% | Identifying social engineering/phishing 20% | Open source 
vulnerabilities 15% | Not sure/other 5% 
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METHODOLOGY & DEMOGRAPHICS 


The 2021 Cloud Security Report is based on a comprehensive survey of 613 cybersecurity 
professionals conducted in May 2021, to uncover how cloud user organizations are responding to 
security threats in the cloud, and what training, certifications, and best practices IT cybersecurity 
leaders are prioritizing in their move to the cloud. The respondents range from technical executives 
to IT security practitioners, representing a balanced cross-section of organizations of varying sizes 


across multiple industries. 


CAREER LEVEL 


E Specialist Mi Consultant [i Manager/Supervisor [ CTO, CIO, CISO, CMO, CFO, COO W Director [Vice President {ij Other 


DEPARTMENT 


7% 4% 4% 


@ IT Security IT Operations Engineering W Operations Compliance m DevOps = Product Management SecOps [il Other 


COMPANY SIZE 


E Fewer than10 W 10-99 100-499 W 500-999 W 1,000-4,999 [| 5,000-10,000 |) Over 10,000 


INDUSTRY 


| 
23% 22% 10% 7% (SE Ob 4% 4% 


I Financial Services Ml Technology, Software & Internet MiGovernment [Ml Professional Services | Manufacturing M Education & Research 
E Telecommunications Transportation & Logistics Healthcare, Pharmaceuticals, & Biotech ©) Other 


SECURITY CERTIFICATIONS HELD 


26% 2% 19% 13% 12% oo a 


E CISSP W CCSP E CISM E CISA E CEH E Security+ M CRISC Network+ E| Other 
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(So) 


(ISC)? is an international nonprofit membership association focused on inspiring 
a safe and secure cyber world. Best known for the acclaimed Certified 
Information Systems Security Professional (CISSP®) certification, (ISC)? offers 
a portfolio of credentials that are part of a holistic, pragmatic approach to 
security. In 2015, (ISC)* launched the Certified Cloud Security Professional 
(CCSP®) credential for security professionals whose day-to-day responsibilities 
involve procuring, securing, and managing cloud environments or purchased 
cloud services. It is now our fastest growing certification. Our membership, more 
than 150,000 strong, is made up of certified cyber, information, software, and 
infrastructure security professionals who are making a difference and helping to 
advance the industry. Our vision is supported by our commitment to educate 


and reach the general public through our charitable foundation — The Center for 


Cyber Safety and Education™. 


For more information on (ISC)?, visit www.isc2.org, follow us on Twitter or 


connect with us on Facebook and LinkedIn. 
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Are You Staying Ahead of Emerging 


CLOUD SECURITY TRENDS? 


55% of organizations are 78% of survey respondents indicated 
likely or very likely to deploy they or their team need cloud security 
a new cloud security solution training and/or certification(s) to be 

within the next year. better equipped to operate in 


cloud environments. 


Respondents indicated that Cloud Compliance 55% 
lack of qualified staff was the Migrating to Cloud-based security solutions 53% 


main barrier and challenge for: Cloud Adoption 39% 


ULTIMATE GUIDE 


GET YOUR GUIDE 


CCSP CCSP tops “The Next Big Thing” list Certified Cloud 


A n È 
TOP CERT 
ES as the #1 certification survey respondents Sy PAO 
plan to earn in 2021. An (SO Certification 


